Data Processing Addendum

DATA PROCESSING ADDENDUM
1. Scope of this Data Processing Addendum (“DPA”)
1.1 This DPA forms part of the Terms between you and Loom with regard to the processing of personal data that is subject to the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"). Terms used herein that are not otherwise defined have the meanings given in the Terms.
1.2 The parties agree that Loom acts as a data processor for you in providing the Service.
3. "Personal data" has the meaning given in the GDPR.


2. Processing of personal data
2.1 The parties agree that Loom will process the personal data only for the purposes of providing the Service.
2.2 You acknowledge that Loom is a U.S. company and will process the personal data in the United States. To the extent that any personal data will be transferred from the European Economic Area to the United States, Loom agrees to enter into standard contractual clauses based on the European Commission Decision C(2010)593 or any such clauses amending, replacing or superseding the standard contractual clauses by a European Commission decision or by a decision made by any other authorized body.

3. Loom's general obligations
3.1 Loom must ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Loom shall implement appropriate technical and organizational measures to prevent the personal data from being:
(i) accidentally or unlawfully destroyed, lost or altered,
(ii) disclosed or made available without authorization, or
(iii)otherwise processed in violation of applicable laws.
3.3 The appropriate technical and organizational security measures must be determined with due regard for:
(i) the current state of the art,
(ii) the cost of their implementation, and
(iii)the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
3.4 Loom shall upon request provide you with sufficient information to enable you to ensure that Loom complies with its obligations under this DPA, including ensuring that the appropriate technical and organizational security measures have been implemented.
3.5 You are entitled at your own cost to appoint an independent expert who shall have access to Loom's premises and receive the necessary information in order to be able to audit whether Loom complies with its obligations under this DPA, including ensuring that the appropriate technical and organizational security measures have been implemented. You shall provide Loom with 14 days prior written notice and you are obligated to ensure that the expert signs a customary non-disclosure agreement, and treats all information obtained or received from Loom confidentially, and may only share the information with you. Any findings or reports created on the basis of such an inspection must be shared with Loom and shall be regarded as confidential information.
3.6 Loom must without undue delay after becoming aware of the facts in writing notify you about:
(i) any request for disclosure of personal data processed under this DPA by authorities, unless expressly prohibited under European Union or member state law,
(ii) any finding of (a) breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed by Loom in connection with the Service, or (b) other failure to comply with Loom's obligations under this DPA, or
(iii) any request for access to the personal data received directly from the data subjects or from third parties relating to the processing of personal data on your behalf.
3.7 Loom must promptly assist you with the handling of any requests from data subjects under Chapter III of the GDPR, including requests for access, rectification, blocking or deletion, which relates to the processing of personal data in connection with the Service.
3.8 Loom must assist you with meeting the other obligations that may be incumbent on you according to European Union or member state law related to data processing where the assistance of Loom is implied, and where the assistance of Loom is necessary for you to comply with your data protection obligations.

4. Subprocessors
4.1 You hereby grant Loom a general authorization to engage subprocessors. At the time of this DPA, Loom uses the subprocessors listed on our Privacy for Humans page to provide the Service. Loom undertakes to inform you of any intended changes concerning the addition or replacement of a subprocessor by providing prior written notice via your account. If you can document objective and valid reasons not to accept suggested new subprocessors, you may object to the use of these suggested new subprocessors. If Loom chooses not to suggest alternative subprocessors, or if you have valid and objective reasons to object to all suggested alternatives, you are entitled to terminate the Terms with Loom within 30 days after receiving notice hereof.
4.2 Prior to the engagement of a subprocessor, Loom shall conclude a written agreement with the subprocessor, in which at least the same data protection obligations as set out in this DPA shall be imposed on the subprocessor, including an obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

5. Term and consequences of the termination of this DPA
5.1 The term of this DPA shall correspond to the term of the Terms.
5.2. On your request, Loom shall immediately transfer or delete (including anonymize) personal data which Loom is processing for you, unless European Union or member state law requires storage of the personal data.

6. Priority
6.1 If any of the provisions of this DPA conflict with the provisions of the Terms, the provisions of this DPA shall prevail.